💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CRYPT › crptltr11.vir captured on 2022-06-12 at 10:44:10.





                             NEWSLETTER NUMBER 11
      **********************************************************************
      Another festive, info-glutted, tongue-in-cheek training manual
      provided solely for the entertainment of the virus programmer,
      security specialist, casual bystander or PC hobbyist interested in 
      the particulars - technical or otherwise - of cybernetic data 
      replication and/or mutilation. Jargon free, too.
                     EDITED BY URNST KOUCH, late December 1992
      **********************************************************************

       TOP QUOTE: "God Bless America and cry 'freedom' as you punch
                   me on the nose."
                                   --Harriet Timson in the December
                                     1992 issue of Virus News Intn'l.
        
        
         IN THIS ISSUE: NOOZ . . . product reviews: AVLAB 1.0 and
         Victor Charlie 5.0 . . . FICTUAL FACT/FACTUAL FICTION . . .
         IN THE READING ROOM: POPULAR SCIENCE SEARCHES FOR BATCHFILE
         VIRUSES and "GATES" - A GOOD DOORSTOP . . . Leech-ZModem .
         . . POPOOLAR SCIENCE virus . . . HITLER virus . . . NECRO
         virus . . . LITTLE MESS virus . . . Edwin Cleton's software 
         psychobabble . . . DAVE BARRY v. MICHELANGELO virus . . . the 
         usual clever (or dumb - depending how you look at it) wit . . .
         
          
         ************************************************************
         NOOZ: OUTGOING PREZ URGED TO LOOK TO INTEGRITY OF WHITE
         HOUSE DATA
         ************************************************************
 
         Reuters News Service reports that two U.S. senators, Democrats 
         John Glenn and David Pryor, have urged George Bush to prevent 
         destruction of White House computer records during the transition 
         to the Bill Clinton administration. 
  
         In a letter to the lame-duck, the senators claimed that sensitive
         data faces "a significant risk of destruction." 
         
         The astute reader is encouraged to read between the lines 
         and jump to the conclusion that the Democrats are concerned 
         about the mutilation of electronic files generated by the 
         National Security Council during Iran-Contra.
         
         In any case, worried Democrats are advised to be on the lookout
         for unexplained junkets to Colombia and veiled references to the
         "Ghost of la Catedral" during the waning days of the Bush
         presidency.
         ***************************************************************     

                                     -*-


        
        
        
        *****************************************************************
        CONSECRATED PSYCHOBABBLE: EDWIN CLETON's CODE EXECUTION SIMULATOR,
        OR: HOW -*NOT*- TO WRITE A SOFTWARE MANUAL!
        *****************************************************************

        Last issue's readers may remember a passing infoblip concerning
        the naming of one Edwin Cleton as the Fidonet Virus echo moderator.
        In related news, a dedicated reader dug a Cleton/Saesoft shareware
        anti-virus program known as the Code Execution Simulator (CES)
        out of the trash and passed it on to the Crypt Newsletter.
        From what we could tell, it was "supposed" to be a $40 cash money
        heuristic scanner. In any case, CES refused to function at the Crypt
        editorial offices in any logical manner. (Could be someone's
        pulling our leg! Hah!) And the accompanying 
        documentation was, well . . . you can read it for yourself:


        -=[ravings starts here]=-
        CES (Tm) Code Execution Simulator.                 
        =*===*===*===*===*===*===*===*===*===*===*===*===*===*===*===*==
        "Gather enough information and the solution will be obvious."
                                                               S.B. 1988

        "A virus can  NOT be detected  BEFORE execution, it can  only be
         detected  AFTER or  WHILE execution, which is  at the moment to
         late, however, to detect anything  for that matter, you need to
         execute it first before there will be *anything* to detect."
                                                               E.C. 1990

               "Mate(s) it simply makes sense, make a backup..."

        The stages of development;
        =*===*===*===*===*===*===*===*===*===*===*===*===*===*===*===*==
        The object is  to create  rules related behaviour, consistent to
        such an instruction  or event of instructions in order to deter-
        mine if *something* is happening, the order  of what this *some-
        thing* is, is yet to be defined by the sub-rules who are (to be)
        generated out of the strain that started the initial behaviour.

        Consistent rule related  behaviour  is *never*  predefined, thus
        the object  or statement 'will never  work well enough' is irre-
        levant to it's  initial base, whether or not *a* rule 'works' is
        of no concern to the  CES model, for the intention  is to create
        such *working* rules related to any behaviour it will derive, if
        not, the initial rule is dropped and this has yet to happen.

        To create such rules, there base  must be optained at the lowest
        level and  gradualy go upwards to become  *ideal*, each rule and
        the sub-rules related must be dedicated to one single predefined
        *instuction* or event of such instructions.
        
        The lowest level  based rule  *must* effect it's sub-rules or if
        and when needed, create such, a sub-rule will and can eventually
        link with other sub-rules, somewhat like a  neural network, once
        each level expands  and thus also there related strains into the
        *rule network*, some point  must be given  to hold it at a given
        time, backtracking each  level will  then (and only then) result
        in *a* logical deducting 'intelligent' rule based CES system.



        The CES model  is not a  debugger, if  *a* program  executes, it
        will do the same inside CES's environment, undocumented instruc-
        tions are of no concern, as they  *are* documented somewhere and
        can be  included along  the line they  appear, if not, CES  will
        simply halt requesting manual instructions, which in turn can be
        solved on the same line they appear.

        The *model* should provide in it's own complexity to amphase the
        creation  of  direct logic  solutions  to any  given problem, or
        abort complexity.

        Scanning for prototype of code is a waste of time, recording and
        detecting  behaviour  isn't, yet you have  to define normal  and
        abnormal behaviour.
        -=[ravings end here]=-
        ----------------------------------------------------------------
        Hah??? "Amphase"? How about "aphasic"! Don't be frightened readers!
        Yes, indeed, you are right! It IS impenetrable crap!

        As a wise man from Holland once said, "Kannitverstann!"
        _________________________________________________________________


        *****************************************************************
        CAIRO RESEARCH'S AVLAB 1.0: A PRODUCT WALKTHROUGH
        *****************************************************************
        
        Tired of lunatic contributors to Virus-L and the Fido Virus
        echoes sniping at your carefully reasoned analyses like junkyard 
        dogs tearing at pieces of rotten, greasy meat? Then, Cairo 
        Research's AVLab 1.0 is just the thing for you - a program designed 
        to buttress your arguments over the efficacy of anti-virus scanners 
        with the cold, unforgiving steel of statistics. 
        
        In its broadest function, AVLab works like a shell, automating
        scan testing of virus-laden directories and tabulating the
        results. Throw 300 virus samples into a test directory, add
        a scanner of interest (Cairo has already supplied 5 slots
        for the more common products: SCAN, TBScan, F-PROT, etc.)
        and use the drop down menus on the interface to begin testing.

        AVLab manufactures a result, like so:


 Product Name                            Hits  Miss  Hit %   Version
 ---------------------------------------------------------------------------
 McAfee Associate's ViruScan               78     5  93.98   90.99    Best!
 Solomon Toolkit's FindVirus               70    13  84.34   4.31
 Leprechaun's Doctor                       57    26  69.00   3.76     Worst!
 ---------------------------------------------------------------------------
 Averages --->                             68    15  82.44
 ---------------------------------------------------------------------------
 83 samples in 1 directories


        Little could be more straightforward. Of course, you're left
        to ponder the meaning of it yourself; factors like
        how random were the choices from your virus library, how 
        reliable the results taken from a scan of less than 2,000
        MtE samples, how out-of-date the scanner (Leprechaun 3.76 is 
        over a year old. Not a bad score, wouldn't you say?) - all
        must be considered. AVLab will get you into the ballpark,
        though, and keep you waist deep in e-mail from the matrix 
        as long as you let it.

        The only hard part about using AVLab is initially programming
        the command line switches to software not already included in
        the pre-configured slots. And that's trifling.

        AVLab will also read those VIRSCAN.DAT files that come with
        a few European a-v scanners, presenting them in a 
        scrollable database far prettier than the straight original
        text. You can add your own note to each virus in the 
        database, too. Strangely, this was where the only bug in my
        version cropped up. I added a note to one specimen and it
        bled through to every virus listing in the database.

        The program is well-mannered, its documentation brief and to
        the point. AVLab's a unique example of a "niche"
        product: Perhaps just the thing to help you persuade a 
        potential client that you're ready to go into the anti-virus 
        scanner certification business. For a fee, of course. ;-)

        It's $30 cash money as registered shareware from Cairo;
        the same folks produce a virus-info BBS door and a few
        direct-action research viruses featuring interesting encrypted 
        messages like "Rock o' the Marne, sir!"

        AVLab 1.00 is supplied at the Cairo Research support BBS's:
        Under the Nile! 9600v.32   1:3613/12
        Backwoods BBS   9600USR-DS 1:3613/10
        
        ***************************************************************


        ***************************************************************
        MORE HACKER CRACKDOWN: THOSE WHO DON'T REMEMBER THE PAST
        TEND TO REPEAT IT
        ***************************************************************

        In a December news piece from the Associated Press, Kevin Poulsen, 
        a former Silicon Valley computer worker, was reported as
        charged with stealing Air Force secrets that allegedly included a
        targeting list - a computer tape containing an order for a
        military exercise code-named Cabre Dragon 88. 
  
        The 27-year-old Los Angeles resident was named in a 14-count 
        indictment that includes a charge of gathering defense information. 
        The punishment associated with conviction calls for 7 to 10 years 
        in prison. 
  
        An unnamed colleague faces lesser charges of unlawful use of 
        telephone access devices, illegal wiretapping and conspiracy. 
  
        Poulsen's lawyer, Paul Meltzer, claims the data secured by his
        client was not sensitive and that it was reclassified by government
        officials to secure an easy prosecution. 



        Poulsen's prior history, according to AP, included 1989 charges 
        for stealing telephone access codes from a Pacific Bell office, 
        accessing Pacific Bell computers, gathering of unpublished phone
        numbers for the Soviet Consulate in San Francisco; trade of
        stolen telephone access codes and eavesdropping. He was free until
        April 1991, when a tip generated by a TV show led to his
        arrest. Poulsen has not yet been tried for these charges;
        a court date is set for March. 

        Without knowing much more about the particulars of this news
        piece or Poulsen, it is still worth going over the alleged theft 
        of a military targeting list in slightly greater detail.  Consider 
        the value of any stolen strategic or tactical targeting list
        (presumably nuclear: when the Air Force uses the euphemism
        "targeting list" it is almost always in the context of nuclear
        war-fighting) with these points in mind:

             1. The U.S. is not at war and faces no obvious enemy.

             2. Familiarity with any number of publications
             on Air Force tactical and strategic planning leads one
             to realize that any targeting list generated by 
             military planners tends to contain several hundred
             to thousands of points. Armed with that knowledge,
             any citizen equipped with a good tourist map 
             could generate his own plan which would be expected to
             have considerable overlap with any military list.
             What "secret" value do any of these lists have?

        It is tempting to think of Poulsen's stolen list as
        another probable "E911 BellSouth"-type document. Worth about
        $20, if anyone would be interested in it.
        ***************************************************************



        ***************************************************************
        REVIEWING VICTOR CHARLIE 5.0 FROM BANGKOK SECURITY ASSOCIATES: 
        NOW, REPEAT AFTER ME, "OWATTA GOO SIAM!"
        ***************************************************************

        "The World's First Generic Anti-virus Program!" claim Bangkok
        Security Associates of Victor Charlie 5.0. While it would
        never get past the desk of an American adman, it made us
        smile. 
        
        Sure, it's a dumb boast. But so what! The PC world is full of
        'em.  
        
        In any case, Victor Charlie works on the premise that all the
        serious viruses of the future will be memory resident.  Fair
        enough.  

        So it offers its body up as bait to a resident virus, using itself
        and two "sentry" executables as targets of infection. When infected,
        Victor Charlie attempts to go on the attack. It grabs a signature
        from one of its infected files, adds it to a generic scanner/
        integrity checker, prompts the user to scan the disk and delete
        files found to be infected or changed, regenerates itself and then 
        forces a cold reboot.
        


        It's not a bad approach. Victor Charlie 5.0 detected, disarmed
        and deleted a raft of resident viruses and files infected by them. 
        Jerusalem variants, Npox variants, the Hitler virus (in this issue), 
        ARCV's Scroll - all fell quickly to VC 5.0. Sandwich, a marginal 
        stealth virus - as were Scroll, Hitler and NPox - was also quickly 
        disposed of. Viruses using advanced encryption were slightly more 
        successful. The polymorphs Pogue Mahone and Coffeeshop 2 were 
        detected in memory and purged by reboot. Predictably, VC could not 
        generate usable signatures from them. The program's back-up, a 
        VERY SLOW integrity checker, detected files changed by the 
        polymorphs and flagged them. By reading the documentation a more 
        doltish user could, in theory, figure out the proper course of 
        action.
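        The bait-file idea described above, as an added example written for
        this review (not Victor Charlie's own code): hash a clean baseline,
        let a constructed appending "virus" body land on the bait, take the
        bytes the bait gained as a scan string, and show that a toy polymorph
        (the same body re-keyed per copy) defeats that scan string while the
        integrity check still flags every changed file. All file contents, the
        virus body and the XOR "encryption" are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample "files": byte strings standing in for DOS programs, not real executables.
BAIT_CLEAN = b"MZ" + b"\x90" * 40
PROGRAMS_CLEAN: Dict[str, bytes] = {
    "BAIT.COM": BAIT_CLEAN,          # the bait the monitor offers up for infection
    "EDIT.COM": b"MZ" + b"A" * 60,
    "GAME.EXE": b"MZ" + b"B" * 90,
    "CALC.EXE": b"MZ" + b"C" * 30,   # stays clean in both scenarios
}
# Constructed stand-in for an appending virus body (not any real virus).
PLAIN_BODY = b"\xEB\x10CRYPT-DEMO-BODY\xCD\x21"


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Integrity-checker side: record a SHA-256 per file while the system is known clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(files: Dict[str, bytes], base: Dict[str, str]) -> List[str]:
    """Files whose current hash differs from the baseline (a file absent from it counts as changed)."""
    return sorted(n for n, d in files.items() if hashlib.sha256(d).hexdigest() != base.get(n))


def extract_signature(clean_bait: bytes, infected_bait: bytes, length: int = 12) -> Optional[bytes]:
    """Bait side: if the bait merely grew (an appender), take the first `length` bytes it
    gained as a scan string. Returns None when the bait was not simply appended to."""
    if len(infected_bait) <= len(clean_bait) or not infected_bait.startswith(clean_bait):
        return None
    return infected_bait[len(clean_bait):len(clean_bait) + length]


def scan_for_signature(files: Dict[str, bytes], signature: bytes) -> List[str]:
    """Generic scanner side: every file that contains the extracted string."""
    return sorted(n for n, d in files.items() if signature in d)


def xor_encode(body: bytes, key: int) -> bytes:
    """Toy model of a polymorph: the same body under a different one-byte key per copy."""
    return bytes(b ^ key for b in body)


def run_scenario(polymorphic: bool) -> Dict[str, object]:
    """Infect three of the four programs, then run the bait / scan string / integrity pipeline."""
    base = take_baseline(PROGRAMS_CLEAN)
    victims = ["BAIT.COM", "EDIT.COM", "GAME.EXE"]
    files = dict(PROGRAMS_CLEAN)
    for i, name in enumerate(victims):
        body = xor_encode(PLAIN_BODY, 0x11 * (i + 1)) if polymorphic else PLAIN_BODY
        files[name] = files[name] + body
    changed = changed_files(files, base)
    sig = extract_signature(BAIT_CLEAN, files["BAIT.COM"])
    return {
        "bait_infected": "BAIT.COM" in changed,      # the trigger to "go on the attack"
        "changed": changed,                          # what the integrity checker flags
        "signature": sig,                            # scan string pulled from the bait
        "signature_hits": scan_for_signature(files, sig) if sig else [],
    }


if __name__ == "__main__":
    # Plain appender: the scan string finds every victim; polymorph: only the bait itself,
    # yet the integrity check still names all three changed files.
    print(run_scenario(polymorphic=False))
    print(run_scenario(polymorphic=True))
```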

        Victor Charlie's other major feature was its "protection" of
        user-selected programs. Essentially, this translates as: let
        the program make a back-up of your favorites, stash them
        somewhere else on the disk under different names and restore
        them when changes are detected in the originals. Not exactly 
        novel, but at least guaranteed an almost 100% success rate
        when usable.

        It provides similar protection for the hard file's system 
        area and a utility seemingly analogous to MS-DOS's FDISK /MBR
        option.

        The program's Lao-Tse (I couldn't resist this awful pun!) points: 
        
        1.  Victor Charlie cedes the playing
        field to direct action viruses. It relies on its integrity
        checker and self-generated audit of infection trails to
        eliminate them. In light of the speed of the program, this 
        is a tedious, frustrating process all out of proportion to
        the actual threat. 
        
        2.  VC 5.0 won't detect companion (spawning) viruses.
        
        3.  The program would not generate a "rescue disk" as advertised.
        It flat-out refused to work for us. 
        
        4.  And the installation/initialization procedure hinged on  
        extended batchfiles which had to be poked and prodded in ways
        not obvious to the average PC user.  (i.e., only fanatics
        and programmers - people who don't need this program - would 
        get it to function in real world situations.)

        Bangkok Security Associates asks for $50 in registry. We don't
        think this is a good buy . . . unless you crave a challenge. 
        In fact, it's ridiculously priced considering the competition. 
        The Crypt recommendations to Bangkok Security Associates (remember,
        advice is often worth exactly what you pay for it): knock $15 off 
        the fee, make the install program work, lay off the Thai sticks 
        when composing the documentation and see us in 6 months, dudes.
        **************************************************************

        --------------------------------------------------------------
        FILE LEECHING MADE EASY: A HALLOWED TRADITION SERVED BY THE
        PUBLIC DOMAIN TECHNOLOGY OF LEECH-ZMODEM
        ______________________________________________________________

        Until now, you may have been at the mercy of your local "warez
        dood" - beholden to his every whim for the file points YOU
        NEEDED like life's blood itself for your obsessive-compulsive
        piracy habit. But now, you can strike back with a tool previously
        used only by the very "elyte"! In the grass-roots tradition of
        individual empowerment, Crypt Newsletter supplies YOU with
        the Leech-Zmodem, a tool designed to optimize your neo-psychotic 
        problem, at the same time creating bookkeeping headaches for 
        pirate BBS's everywhere!

        LZMCNF.SCR and LZM.SCR will recreate the Leech-Zmodem programs
        for you. And, with the help of the pre-made batchfiles, QMOD.BAT
        and PCOMM.BAT (see additional documentation in endnotes), we give 
        you the complete drop-in package of Leech-Zmodem for those using 
        the popular ProComm Plus and Qmodem Pro telecommunications software.  
        Place these files in your telecommunications directory, disable the 
        auto-Zmodem download option if it's turned on, and you're ready 
        to leech by calling the program from your ProComm or Qmodem menu!

        Configuring Leech-Zmodem couldn't be simpler. Go to your
        DOS prompt in the Leech-Zmodem directory.  Type: LZMCNF.
        The configuration program will come up and you will answer a
        few simple questions as to color preference, bps rate and
        COM port address.  When asked about method for "cancellation,"
        choose "s" for single-file download. Now you are ready 
        to go, go, go!

        How does Leech-Zmodem work? Dial your local "warez board,"
        preferably one where you already have an account but, perhaps,
        not the file points you think you so richly deserve.

        Select a "ware." Pick one that will use up almost
        all your precious file points! Go ahead! Instruct the "warez
        board" to send it. Activate your Leech-Zmodem (here you should
        have ALREADY de-activated your auto-Zmodem download). The
        colorful Leech-Zmodem menu should appear on your monitor, 
        showing you the progress of your transaction. Now watch closely!
        The file is almost finished. What's that? Leech-Zmodem is
        springing into action, squaring the file away while sending a
        bogus error code which instructs the host software that the
        transfer was "aborted."  Now, check your file points. They
        are untouched! The host software takes nothing away for "aborted"
        transfers. But you have the file, anyway! Victory is sweet!
        Logoff at once and find another BBS to try it on, now that you've
        got the hang of Leech-Zmodem!

        We are sure you see the potential of Leech-Zmodem! Use it knowing
        that we've tested it successfully on a number of popular softwares
        including Telegard, Vision-X, Celerity, PCBoard and WWIV, among 
        others. And after reviewing the documentation of these BBS
        packages, we can tell you with some assurance that the authors of
        these programs remain uncognizant of the special challenge posed by
        Leech-Zmodem.

        However, a few caveats:

        1. Don't be a chump and throw away your winning hand by attempting
        to download 20 files in one session. Even the densest sysops 
        will be alarmed when they review their daily log and see that
        long audit trail with that curious string of "aborted transfer"
        notations.  Spread your attention to many. Use Leech-Zmodem
        strategically, interspersing parasitic behavior with the 
        occasional "regular" session.  
        


        2. Try to avoid using Leech-Zmodem when you've got a hunch that
        the sysop is staring directly at his monitor. While some sysops
        will never grasp what is going on in "real-time," it's unwise
        to walk in harm's way.

        3. If you are confronted by a sysop who has caught on to what
        you are doing, try buying him off by offering him his own copy
        of Leech-Zmodem! Often, this tactic will work.

        4. Leech-Zmodem works fine on public domain, pornography
        and virus exchange BBS's, too. It excels on any system dedicated 
        to a "file-server" mentality.

        5. If you have your own BBS, you can protect yourself from Leech-
        Zmodem by using the -S (for SlugBait) command-line switch when
        calling your Omen Technology DSZ Zmodem program. SlugBait was
        designed by Chuck Forsberg to trap programs like Leech-
        Zmodem by putting a notation in the transfer log that the session
        is "questionable" when aborted with the pattern common to Leech-
        Zmodem.  If your registered version of the program supports this
        feature, DSZ will tell you when something is rotten in Denmark.

        6. Leech-Zmodem is a one-way program. It will only handle
        Zmodem file transfers from the sending BBS to you.
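        A sysop-side log audit in the spirit of caveat 5, as an added example
        (not DSZ; SlugBait's "questionable" notation is Omen Technology's own
        feature): it reads transfer-log lines in a constructed format (not
        DSZ's real log layout) and flags callers whose "aborted" transfers
        ended only after essentially the whole file had already gone out, the
        pattern a genuine line drop rarely produces. The log lines are
        constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed transfer log in a made-up layout; one noise line is included so the parser
# has to cope with input it does not understand.
SAMPLE_LOG = """\
12-21-92 19:02 DLOAD user=LEECHER file=GAME1.ZIP bytes=318004/318004 result=ABORTED
12-21-92 19:05 DLOAD user=LEECHER file=GAME2.ZIP bytes=201211/201220 result=ABORTED
12-21-92 19:11 DLOAD user=LEECHER file=UTIL.ZIP bytes=88000/88000 result=OK
12-21-92 19:20 DLOAD user=HONEST file=DOC.ZIP bytes=12000/54000 result=ABORTED
12-21-92 19:33 DLOAD user=HONEST file=DOC.ZIP bytes=54000/54000 result=OK
12-21-92 20:01 DLOAD user=LEECHER file=GAME3.ZIP bytes=410000/410010 result=ABORTED
12-21-92 20:05 DLOAD user=NEWBIE file=BIG.ZIP bytes=700000/700000 result=ABORTED
this line is noise the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) DLOAD user=(?P<user>\S+) file=(?P<file>\S+) "
    r"bytes=(?P<recv>\d+)/(?P<total>\d+) result=(?P<result>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line -> fields, or None when the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"user": d["user"], "file": d["file"], "recv": int(d["recv"]),
            "total": int(d["total"]), "result": d["result"]}


def is_questionable(entry: Dict[str, object], min_fraction: float = 0.95) -> bool:
    """An abort reported only after (nearly) the whole file was sent is the suspicious
    shape; a real line drop usually dies much earlier. Guards against a zero-length file."""
    if entry["result"] != "ABORTED" or int(entry["total"]) <= 0:
        return False
    return int(entry["recv"]) / int(entry["total"]) >= min_fraction


def audit(log_text: str, min_fraction: float = 0.95, min_count: int = 2) -> Dict[str, object]:
    """Walk the log, collect near-complete aborts per user, and flag users who repeat
    the pattern at least `min_count` times (one such abort can still be coincidence)."""
    questionable: List[Tuple[str, str]] = []
    per_user: Dict[str, int] = {}
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        if is_questionable(entry, min_fraction):
            questionable.append((str(entry["user"]), str(entry["file"])))
            per_user[str(entry["user"])] = per_user.get(str(entry["user"]), 0) + 1
    flagged = sorted(u for u, c in per_user.items() if c >= min_count)
    return {"questionable": questionable, "per_user": per_user,
            "flagged_users": flagged, "unparsed": unparsed}


if __name__ == "__main__":
    # LEECHER shows three near-complete aborts and is flagged; HONEST's early abort and
    # NEWBIE's single one are not.
    print(audit(SAMPLE_LOG))
```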
        
        The history of Leech-Zmodem is spare. The program appeared
        on various underground BBS's about a year ago, so it's
        not particularly new. However, it works and is likely to
        remain effective for some time. Even now, we know of BBSers
        who use Leech-Zmodem on an almost daily basis. So, you can thank
        Leech-Zmodem's anonymous author for this "interesting" and
        valuable addition to your hard file.
        **************************************************************

        IN THE READING ROOM: POPULAR SCIENCE/POPULAR SCHMIENCE
        **************************************************************

        Dateline: A passing comment carried on the winds of the WWIVnet
        from alert reader, Mr. Badger:

        Who : Mr. Badger 
        When: Monday, December 21, 1992   2:09 PM
        From: Dream World BBS [ASV] (South Carolina) 

        FYI, there's a little article in the January 1993 Popular 
        Science on "Stalking Stealth Viruses".  Pretty basic, but one 
        quote should win a Sigmund Freud Anal Retentive Award from the 
        Crypt Newsletter:  

        "Viruses threaten to rattle the underlying confidence people 
        now have in computers...And if people stop relying on computers, 
        that's everybody's problem."

                          -Peter Tippett, president, Certus International
        
        Sheesh, quotes like that need to be on recruiting posters for 
        future hackers.

        -----------------------------------------------------------------
        Whoah! That got our attention so we rushed out to the nearest 
        newsstand for our own copy of January's Popular Science. Sure 
        enough, an article on "stealth viruses" accompanied by a truly 
        freaked-out piece of artwork and the subhead: "Forget all the 
        hype over Michelangelo.  1993 may be the year that a new breed of 
        less visible but more sophisticated viruses begin to slip into 
        thousands or even millions of PCs."

        But you already know the punchline to this story, because you
        swallowed it in March. It's a hook to catch the general reader -
        nowhere does Popular Science deliver any support for the claim. 
        
        And the stealth viruses trotted out? Whale, 4096, Joshi, 
        NoInt (I suppose), DIR-2, Cascade (a stealth virus?); all well 
        characterized programs, all controlled by even the most inept 
        anti-virus software.  Of course, reporter Christopher O'Malley 
        never really gets around to hipping the reader to this fact. 
        
        The "Mutating [sic] Engine" is on hand, too. Even Mrs. Urnst Kouch, 
        an avowed computer-phobe was startled.

        "Mutating Engine?" she asked. "That's not right, izzit?"

        To be fair, O'Malley's piece is an earnest, if fumbled, stab at 
        good science reporting for a general readership. It's the kind of
        technical news we USED to be able to expect occasionally from our 
        better national newspapers rather than the current stream of 
        rah-rah "journal article of the week" swill. And we realize, too, 
        that the level of technical understanding in the average reader of a 
        newsstand magazine dictates that he may consider any computer 
        virus close kin to a demon.
        
        But even that rationalization pales as an excuse for "dumbed-down"
        work when the reader finally gets around to examining Popular
        Science's version of a demo virus, BFV (for "batch file virus").

        "INFECTED BATCH FILES WILL INFECT OTHER BATCH FILES WHEN RUN!"
        warns the magazine ominously.  "If an infected batch file were 
        to be passed from one user to another, the new user's batch files
        would become virus carriers as well," reporter O'Malley writes.

        We were sure this was unadulterated crap, in light of the rest of
        the article and, indeed, BFV.BAT was a flop.  

        Its "virus" batch file code, in essence, was:

                 FOR %F in (*.BAT) do copy %F + BFV.BAT    .

        Executing this code as the batchfile, BFV.BAT, in a directory 
        full of .BAT files merely mutilates all of them, appending 
        the above line to every one. Executing any of the "infected" files 
        at once locks the machine into an endless, rather obvious, loop 
        as the "infected" .BAT file recursively appends the line in BFV.BAT 
        to itself and its companions. (This is due to the way that DOS 
        processes the FOR command and the "variables" %F in the set, 
        *.BAT. Don't worry about the jargon. Try the experiment and see 
        for yourself.)

        Further, removing any of the "infected" files to a different
        directory off the machine's path (or a different machine, as 
        suggested) results in . . . nothing.  None of these files can
        do anything by themselves - hardly virus-like.  This 
        leads to the next question: Did the reporter even test his 
        own "batchfile virus"? Apparently not is the logical answer.  
        The science writer, leery of his own batchfile "virus." Well,
        isn't that just special?

        [In any case, the Crypt Newsletter editors have whipped up a
        quick .BATfile "virus" of their own, POPSCI.BAT. In actuality, 
        it is a "launcher" for a specially-commissioned-for-this-issue
        "Popoolar Science" virus. Popoolar Science, unlike BFV.BAT, does
        work. It will mutilate your .BAT files, your executables and
        your data in its search for files to infect. And it will spread
        from infected programs to other uninfected files, just like any
        normal virus. You can search for it with a real anti-virus
        program and, in general, watch it do things a number of
        viruses in the wild can do. (See end notes for further details.)]

        *****************************************************************
        READING ROOM II: "GATES: HOW MICROSOFT'S MOGUL ETC., ETC., BLAH,
        BLAH, BLAH" by STEPHEN MANES & PAUL ANDREWS (DOUBLEDAY, hardbound,
        $25 cash money)
        *****************************************************************

        As you might guess, "Gates" is about Chairman Bill, Bill - the
        brightest man I've ever met, genius Bill, Bill - the master
        convincer, Billion-Dollar Bill, Supercalifragilisticexpialidocious
        Bill. In other words, it's a 500-page blowjob. 
        
        Manes and Andrews insist that Gates exerted no editorial control
        over their work. After reading "Gates," this is an unbelievable 
        claim. There's one paragraph devoted to Chairman Bill's legendary 
        crummy personal hygiene. Bill can't do more than one thing at a
        time while washing his hair, say Manes and Andrews, so he doesn't 
        shampoo too often. It's flabbergasting trivia like this that
        sinks "Gates." In spite of  "access" - there's no feeling that 
        these two clowns know anything more about Microsoft's boss than you 
        or me. DESPITE pages and pages worth of Bill coding BASIC, 
        Bill having a screaming fit, Bill buying a Porsche, Bill having 
        a cat fit, Bill getting ticked at Borland's Philippe Kahn, Bill 
        having an apoplectic fit, Bill flying to Armonk, NY; Bill having 
        a shit fit, Bill going to ComDex, Bill making his first million, 
        Bill having a yelling fit, Bill making his first billion 
        (gaaaaaaah!), "Gates" is a dull-to-the-point-of-mind-roasting read 
        filled to the gunwales with sickeningly cutesy, purple prose.
        
        If you wanna know about Gates, save $20 and get Robert X. Cringely's
        "Accidental Empires" (Addison-Wesley). Pass on this dreck.

        
        
        ****************************************************************
        THIS ISSUE'S SOFTWARE: A CORNUCOPIA OF COMPRESSED ELECTRONIC JOY!
        ****************************************************************

        The NECRO (SKULL) virus is included as another example of
        what can be done with the Virus Creation Laboratory and Phalcon/
        SKISM Mass Production Coder. Surprisingly, the most recent version
        of SCAN does not flag files infected by NECRO - revealing that
        either McAfee is slipping or there is more to either code set
        than the mainstream "authorities" would have you believe. We
        think the latter explanation is closer to the truth. You will 
        also enjoy the novel manner in which NECRO toggles between being 
        a .COMfile appending virus and an .EXE-overwriter: a good example 
        of being creative and imaginative within the constraints of 
        a simple model.
        

        Since NECRO is a run-time infector - it only writes to other
        files at the moment an infected program is run - it is rather
        easily detected by any functional file integrity monitor. To
        eradicate it, delete all files altered by either form of the
        virus and restore them from clean backups; the overwritten .EXE
        files cannot be recovered from the infected copy.

        The HITLER virus is a product of Demoralized Youth, apparently
        a Scandinavia-based group.  It is a large-ish memory resident
        .COM infector which is marginally "stealthy": while resident, the
        virus subtracts its own length from the size reported for infected
        files when the PC user lists a directory with DIR.  You can
        execute it on an isolated test machine with this in mind: .COM
        files are infected upon load, the command processor can be
        successfully infected, and file size changes are invisible as
        long as the virus is in memory (boot clean from a write-protected
        floppy and the true sizes reappear).
        If the user has the presence of mind to record his machine's free
        memory before the virus is called, a simple MEM /C command will
        reveal the presence of the program - HITLER creates a quite
        noticeable 5k drop in available memory.
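        The integrity check the two paragraphs above lean on, as an added
        example that is not code from the newsletter or from either virus:
        a baseline of size plus SHA-256 per file, compared later. The
        scratch directory, the 5 KB PAYLOAD standing in for an appended
        virus body and the stealth_size() stand-in for a resident DIR hook
        are all constructed for the demonstration. It shows why a monitor
        that only compares sizes (or saved DIR listings) is fooled by a
        size-stealth virus like HITLER while a content hash is not, and
        why a run-time infector like NECRO, which hides nothing, is caught
        either way.

```python
"""Baseline-and-compare integrity check, with a size-stealth simulation.

Constructed example. PAYLOAD stands in for an appended virus body; the
stealth_size() function stands in for a resident virus's DIR hook.
"""
import hashlib
import os
import tempfile

PAYLOAD = b"\xeb\xfe" + b"\x00" * 5118   # assumed 5 KB appended body (jmp $ + padding)


def snapshot(directory, size_of=os.path.getsize):
    """Record (size, sha256) for every regular file in `directory`.

    `size_of` is injectable so the demo can model a resident stealth virus
    that lies about sizes while the bytes on disk are the infected ones."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        baseline[name] = (size_of(path), digest)
    return baseline


def compare(baseline, current):
    """Report which files changed by size, changed by content, appeared or vanished."""
    findings = {"size_changed": [], "hash_changed": [], "added": [], "removed": []}
    for name, (size, digest) in current.items():
        if name not in baseline:
            findings["added"].append(name)
            continue
        old_size, old_digest = baseline[name]
        if size != old_size:
            findings["size_changed"].append(name)
        if digest != old_digest:
            findings["hash_changed"].append(name)
    findings["removed"] = sorted(n for n in baseline if n not in current)
    return findings


def infect_append(path, payload=PAYLOAD):
    """Model an appending infector: the body goes on the end of the file."""
    with open(path, "ab") as fh:
        fh.write(payload)


def stealth_size(path):
    """Model of a size-stealth DIR hook: for files carrying PAYLOAD, report
    the real length minus the payload length, as the text says the virus does."""
    real = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, real - len(PAYLOAD)))
        tail = fh.read()
    return real - len(PAYLOAD) if tail == PAYLOAD else real


def demo():
    """Build a scratch directory, take a baseline, infect one .COM, then
    compare once with honest sizes and once through the stealth hook."""
    with tempfile.TemporaryDirectory() as d:
        files = {"EDIT.COM": b"\xb4\x4c\xcd\x21" * 30, "README.TXT": b"hello\r\n"}
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        base = snapshot(d)
        infect_append(os.path.join(d, "EDIT.COM"))
        honest = compare(base, snapshot(d))
        stealth = compare(base, snapshot(d, size_of=stealth_size))
        return honest, stealth


if __name__ == "__main__":
    print(demo())
```

        The caveat a practitioner will want: a fully stealthy virus that
        also hooks file reads would hand the checker the clean bytes and
        defeat the hash as well, so the comparison run belongs on a clean
        boot, with the baseline stored somewhere the resident code cannot
        reach.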

        HITLER contains no destructive payload per se. It does, however,
        install its own routine which runs off the machine's timer 
        tick interrupt.
        
        When conditions are right, a vocal effect - some goon shouting
        "Hitler!" - is sent to the PC's internal speaker.
        It is quite repetitive and annoying. On some machines, all that
        is heard is speaker buzz.  (See the HITLER virus source
        listing for more notes.)

        Interestingly, a highly placed source informs the newsletter
        that the HITLER virus will probably not be called 
        that as it finds its way into many anti-virus programs.  
        Presumably, it will be renamed to avoid offending those with
        thin skins in Europe, thus keeping it in line with new virus
        nomenclature rules designed to avoid offensive titles.  
        (Remember the stink generated about
        CASTLE WOLFENSTEIN.) Aaah, the sociology of computer
        virology never ceases to fascinate.

        POPOOLAR SCIENCE is a primitive overwriting virus.
        It is supplied only in the batchfile POPSCI.BAT and in its A86
        source listing. Experienced Crypt Newsletter readers uncaring of
        the A86 assembler can strip the DEBUG script from POPSCI.BAT
        with any minimally functional text editor and create a separate
        DEBUG script for the virus. POPOOLAR SCIENCE restricts itself
        to its current directory (unless on the path and called from a
        different one), displays an endorsement of Popular Science
        magazine every time it is executed and overwrites all files
        in the current directory instantly, ruining them if they
        are data and making them copies of POPOOLAR SCIENCE if
        programs.  This renders it a nuisance on the same order as the 
        much smaller DEFINE and MINISCULE series of viruses. However, 
        while easily tracked, POPOOLAR SCIENCE can make a shambles of 
        a system quickly and explosively, if stupidly handled. Executing 
        the batchfile POPSCI.BAT will cancel the monitor, assemble and 
        launch the POPOOLAR SCIENCE virus in the current directory. All
        files in the current directory will be infected as soon as the 
        message "Popoolar Science Roolz!" is displayed on the screen
        and the user is returned to his command prompt. The virus
        does not check whether a file is a program or data, nor whether
        a program has already been infected.  We feel none of these
        features are needed in a kamikaze demo program of this nature.
        [Additionally, the MS-DOS program DEBUG.EXE must be present on
        the path or in its default location for POPSCI.BAT to work.]
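        An overwriter like the one described above leaves a footprint
        that needs no baseline at all: unrelated files in one directory
        suddenly begin with the same bytes. The check below is an added
        example, not code from the newsletter or from POPOOLAR SCIENCE;
        VIRUS_BODY is a 200-byte stand-in built around the message the
        text quotes, and the file names, sizes and contents are made up.
        It hashes only the first PREFIX_LEN bytes of each file (an
        assumed 64) so that a data file longer than the body, whose tail
        survives, still clusters with the .COMs that became exact copies.

```python
"""Spot the footprint of an overwriting infector without a baseline: a
directory in which unrelated files suddenly share the same first bytes.

Constructed example. VIRUS_BODY is a stand-in, not the POPOOLAR SCIENCE
code; the file contents are made up for the demonstration."""
import hashlib
import os
import tempfile
from collections import defaultdict

PREFIX_LEN = 64   # assumed: enough of the file head to fingerprint a body
VIRUS_BODY = (bytes.fromhex("ba0001b409cd21")          # print a string, then
              + b"Popoolar Science Roolz!$"             # the message the text quotes
              ).ljust(200, b"\x00")                     # padded to an assumed 200 bytes


def head_digest(path, n=PREFIX_LEN):
    """SHA-256 of the first n bytes of a file."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(n)).hexdigest()


def identical_head_clusters(directory, min_members=2, n=PREFIX_LEN):
    """Group files by the hash of their first n bytes and return the groups
    with at least min_members files, each sorted by name.

    The head, not the whole file, is hashed on purpose: an overwriter
    leaves a data file's tail intact when the file is longer than the
    body, so whole-file hashes would not cluster it with the .COMs.
    Files shorter than n bytes are skipped so that two tiny files do not
    cluster by accident."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.path.getsize(path) >= n:
            groups[head_digest(path, n)].append(name)
    return [names for names in groups.values() if len(names) >= min_members]


def overwrite(path, body=VIRUS_BODY):
    """Model the infector: write the body over the start of the file and
    leave whatever lies beyond it untouched (a short file simply grows)."""
    with open(path, "r+b") as fh:
        fh.write(body)


def demo():
    """Scratch directory: three programs and a data file get overwritten,
    one program is left alone. Returns the clusters found."""
    with tempfile.TemporaryDirectory() as d:
        sizes = {"CALC.COM": 300, "EDIT.EXE": 1000, "LIST.COM": 150,
                 "NOTES.TXT": 5000, "SAFE.COM": 400}
        for i, (name, size) in enumerate(sizes.items()):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(bytes([i + 1]) * size)   # distinct filler per file
        for name in ("CALC.COM", "EDIT.EXE", "LIST.COM", "NOTES.TXT"):
            overwrite(os.path.join(d, name))
        return identical_head_clusters(d)


if __name__ == "__main__":
    print(demo())
```

        Run it against a real directory and a cluster that mixes .COM,
        .EXE and .TXT names is the thing to look at first; legitimate
        files rarely share a 64-byte head across extensions.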

        LITTLE MESS is a bird of a different feather.
        Produced by the Dutch virus-writing group TridenT, LITTLE
        MESS has a specific target: the TELIX telecommunications
        program. Written in SALT, TELIX's scripting language,
        LITTLE MESS is a spawning (companion) virus attracted to compiled
        application scripts in the TELIX directory (of which there
        are always two or three lying about). LITTLE MESS renames any 
        of these compiled files with an .SLX extension and then makes a
        duplicate of itself under the name of the script it is replacing.
        When the infected script is used, LITTLE MESS quickly does 
        its thing and then calls the .SLX script to complete its
        task. When all the compiled TELIX scripts are infected,
        further use during a TELIX session will cause LITTLE MESS
        to flash a "Legalize Marijuana! -TridenT" message
        on the screen, boxed out in the usual TELIX message form, once in
        every eight executions.
        
        Of course, LITTLE MESS cannot spread outside of the TELIX
        program or find its way onto another machine unless friends
        exchange compiled scripts.
        
        LITTLE MESS is unnoticeable in TELIX sessions; the .SLX files
        are easy to overlook. Some integrity checkers can be set to 
        find LITTLE MESS, but we think this very unlikely in general
        practice. LITTLE MESS is an extreme, yet intriguing example of
        a "niche" virus. LITTLE MESS is removed from TELIX directories 
        by deleting all .SLC files which have an .SLX counterpart. The
        .SLX files are then renamed with .SLC extensions.
        
        LITTLE MESS cannot execute outside the TELIX environment. As
        a compiled "script," it can only operate within the TELIX
        "Go" command.
        
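        The removal procedure given above, written out as an added
        example (not TridenT's code and not part of the newsletter):
        every .SLC that has an .SLX twin is the spawned copy, so it is
        deleted and the .SLX is renamed back. Matching is done
        case-insensitively because DOS names are, and the scratch TELIX
        directory, script names and contents are constructed for the
        demonstration.

```python
"""Restore TELIX scripts displaced by a spawning (companion) script virus.

Constructed example implementing the removal procedure the text gives:
delete every .SLC that has an .SLX twin, then rename the .SLX back to .SLC.
"""
import os
import tempfile


def companion_pairs(directory):
    """Return (displaced_original_slx, companion_slc) path pairs.

    A lone .SLX with no .SLC beside it is left alone: without the twin
    there is no spawned copy to remove. Matching is case-insensitive
    because DOS file names are."""
    entries = {n.upper(): n for n in os.listdir(directory)}
    pairs = []
    for upper, real in sorted(entries.items()):
        if not upper.endswith(".SLX"):
            continue
        twin = upper[:-4] + ".SLC"
        if twin in entries:
            pairs.append((os.path.join(directory, real),
                          os.path.join(directory, entries[twin])))
    return pairs


def restore(directory, dry_run=False):
    """Remove each companion and put the original back under its name.
    Returns the .SLC names that were (or, with dry_run, would be) restored."""
    restored = []
    for original, companion in companion_pairs(directory):
        if not dry_run:
            os.remove(companion)            # the spawned copy
            os.rename(original, companion)  # original regains its .SLC name
        restored.append(os.path.basename(companion))
    return restored


def demo():
    """Scratch TELIX directory with two displaced scripts, one clean script
    and a non-script file; returns what restore() reported, the contents
    afterwards and the final directory listing."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "LOGIN.SLX": b"ORIGINAL-LOGIN",   # displaced real script
            "LOGIN.SLC": b"COMPANION",        # virus copy wearing its name
            "DIAL.SLX": b"ORIGINAL-DIAL",
            "DIAL.SLC": b"COMPANION",
            "CLEAN.SLC": b"CLEAN-SCRIPT",     # never infected: no .SLX twin
            "README.TXT": b"not a script",
        }
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        restored = restore(d)
        contents = {}
        for name in os.listdir(d):
            with open(os.path.join(d, name), "rb") as fh:
                contents[name] = fh.read()
        return restored, contents, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

        Run restore(path, dry_run=True) first on a real TELIX directory
        to see the list before anything is deleted.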
        The TridenT group has also produced the Coffeeshop 
        (Trivia: "Coffeeshop" is a place one goes to purchase 
        dope when in the Netherlands. I wonder if these guys have 
        any David Peel records?) series of viruses, the advanced 
        encryption device called the Trident Polymorphic Engine used in 
        the Coffeeshop 2 and 3 viruses, and a number of other things.

        The QMOD.BAT and PCOMM.BAT files are "drop-ins" for those
        wishing to use Leech-Zmodem with the popular Qmodem or
        ProComm Plus telecommunications software. QMOD presumes
        a download directory named DL off a QMODEM home directory,
        but this is easily edited to a user's taste. The key
        command after calling the Leech-Zmodem program is "c=s",
        which sets "file cancellation" to single mode. Most
        every other variable can be set by the Leech-Zmodem
        configuration program, LZMCNF.EXE.  Quite naturally, once
        the Leech-Zmodem files have been copied into your
        telecommunications directory you will activate the program 
        through the "external protocols" menu.
        
        For example, PCOMM.BAT would be installed by going into 
        ProComm Plus's SETUP (keyboard ALT+S), and highlighting 
        PROTOCOL OPTIONS.  After entering that menu, the sub-menu 
        EXTERNAL PROTOCOLS would be chosen.  Leech-ZMODEM can be set up 
        in either one of the 3 external protocol slots. In the first slot, 
        setup should look like:


              A - Name...............Leech-Zmodem
              B - Type...............PROGRAM
              C - Upload Command.....(leave blank) <--Leech-Zmodem won't u/l
              D - Download Command...PCOMM.BAT (or whatever)

        Simple? You bet.
        
        ************************************************************
        GOSSIP WHICH COMES OUR WAY: FICTUAL FACT/FACTUAL
        FICTION?
        ************************************************************
        Virus exchange sysop Aristotle, informal head of the Vx
        echomail network, informs the Crypt Newsletter that he
        is putting his collection of over 2000 viruses up for sale
        to interested buyers.  Inquiring parties will have the
        option of downloading the Aristotle collection from 
        The Virus/Black Axis BBS at high speed. Aristotle tells
        us he has consulted widely with a number of law enforcement
        agencies on various aspects of the Vx network, conspiracy
        and the trade of dangerous code and has decided to charge
        for access to his code library.

       
        The independent comic book publishing house, Dark Horse, will
        produce a 4-book series called "Virus."  "Virus" tells the
        story of an alien computer virus which commandeers a Japanese
        warship and begins conducting experiments on its crew. More
        on this when we get copies.

        More in the weird life of PROTO-T: A momentary fart from 
        the FidoNet, honest! 
        
        "It appears as though there are several versions of [PROTO-T] 
        floating around the country. The most notable being the
        one authored by Edwin Cleton. Yes! The moderator of this here echo. 
        I learned this only recently...Oh well, What's the world coming to?
        
        EDWIN LIVES SOMEWHERE IN TIME....


        ELToTSiRA"

        In case you haven't been following the PROTO-T "story," it's
        too late now to bring you up to date, so just forget it, OK?
        
        
        40HEX issue #9 available on good newsstands now.

        The Youngsters Against McAfee Instant Virus Producer is a
        virus-making tool modelled after the PS-MPC and VCL.
        The IVP, as it is called, generates TASM-compatible
        source code for as-yet-unscanned direct action .COM and
        .EXE-infecting viruses. Each virus listing generated is 
        peppered with a number of randomly-generated "no op" codes.
        The demonstration virus included with the IVP tool scans as a
        Virus Creation Laboratory variant if the garbling "nops"
        are removed - which tells you it is the junk, not the underlying
        code, that defeats the scanner's byte-string signature.
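        Why a sprinkling of no-ops breaks a scanner, and two ways a
        scanner copes, as an added example that is neither the IVP's
        code nor any anti-virus product's: the five-instruction scan
        string, the junk opcode set and the generator are all constructed
        for the demonstration. A plain substring match fails on the
        junk-peppered variant; a matcher that allows a bounded run of
        known junk bytes between the signature's instructions, or a
        normaliser that strips those bytes first, still catches it.

```python
"""Junk-byte insertion versus byte-string signatures.

Constructed example. SIGNATURE_FRAGMENTS stand in for the scan string a
product keys on, split at instruction boundaries; JUNK_OPCODES is an
assumed set of one-byte instructions a generator can insert without
changing what the code does. Neither is taken from the IVP tool.
"""
import random
import re

# mov dx,0100h / mov ah,09h / int 21h / mov ax,4C00h / int 21h
SIGNATURE_FRAGMENTS = [
    bytes.fromhex("ba0001"),
    bytes.fromhex("b409"),
    bytes.fromhex("cd21"),
    bytes.fromhex("b8004c"),
    bytes.fromhex("cd21"),
]
SIGNATURE = b"".join(SIGNATURE_FRAGMENTS)

# nop, cld, stc, clc, cmc: single-byte instructions that leave the above
# instruction stream's behaviour unchanged (assumed junk set).
JUNK_OPCODES = (0x90, 0xFC, 0xF9, 0xF8, 0xF5)


def generate_variant(fragments=SIGNATURE_FRAGMENTS, min_junk=1, max_junk=3, seed=0):
    """Re-emit the instruction stream with min_junk..max_junk junk bytes
    after every instruction, modelling the 'peppered with no-ops' output
    the text describes. The same seed gives the same variant."""
    rng = random.Random(seed)
    out = bytearray()
    for frag in fragments:
        out += frag
        for _ in range(rng.randint(min_junk, max_junk)):
            out.append(rng.choice(JUNK_OPCODES))
    return bytes(out)


def contiguous_match(data, signature=SIGNATURE):
    """The naive scanner: an exact substring search for the scan string."""
    return signature in data


def gap_tolerant_match(data, fragments=SIGNATURE_FRAGMENTS, max_gap=8):
    """Match the fragments in order, allowing up to max_gap junk bytes
    (and nothing else) between consecutive fragments."""
    junk_class = b"[" + b"".join(re.escape(bytes([b])) for b in JUNK_OPCODES) + b"]"
    gap = junk_class + b"{0,%d}" % max_gap
    pattern = gap.join(re.escape(frag) for frag in fragments)
    return re.search(pattern, data) is not None


def strip_junk(data, junk=frozenset(JUNK_OPCODES)):
    """Normalise by deleting junk opcodes before a contiguous match.

    Only sound when none of the junk values can occur as an operand or
    immediate inside a real instruction; a real engine finds instruction
    boundaries by disassembling rather than deleting bytes blindly."""
    return bytes(b for b in data if b not in junk)


if __name__ == "__main__":
    v = generate_variant(seed=7)
    print(v.hex(), contiguous_match(v), gap_tolerant_match(v),
          contiguous_match(strip_junk(v)))
```

        The gap-tolerant matcher is the safer of the two fixes, since it
        never alters the bytes it inspects; its cost is that a generator
        which also reorders registers or swaps equivalent instructions
        defeats it too, which is where a scanner has to move from byte
        strings to something closer to emulation.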
        
        [If you have something you think is of interest to our
        readers, pass it on and we will include it in future 
        "FICTUAL FACT/FACTUAL FICTION" columns.]
        

        *************************************************************
        HUMOR BREAK: THREAT OR MENACE?
        *************************************************************
        A look back at March 1992 and the Michelangelo scare:
        an extract from Pulitzer-winning humorist Dave Barry's annual
        year end wrap-up (distributed by Knight-Ridder Newspapers).

        MARCH
          1 -- Pat Buchanan wins the Austrian primary.
          2 -- Saddam Hussein appears on "Larry King Live."
          3 -- Business and academic professionals around the world are
          gripped by panic following dire warnings from numerous experts
          that tens of thousands of computers could be infected with the
          dread Michelangelo virus, set to strike on March 6.
          4 -- A grim President Bush places U.S. armed forces on Full Red
          Alert in preparation for expected onslaught of the dread
          Michelangelo virus.
          5 -- Highways leading from major metropolitan areas are hopelessly
          jammed by millions of fear-crazed motorists fleeing from the
          oncoming Michelangelo virus.
          6 -- As predicted, the dread Michelangelo virus erupts, 
          wreaking untold havoc on an estimated one computer belonging to
          Rose Deegle, of Rochester, N.Y., whose Christmas card list
          is nearly wiped out.  Vice President Quayle jets in to oversee
          the relief effort.
          8 -- Michelangelo appears on "Larry King Live."
        **************************************************************
        
        
        ROLL THE END NOTES!

        Thanks and a tip o' the hat go to alert Crypt Newsletter
        readers Primal Fury, Captain AeroSmith, Beach and Mr. Badger 
        for their timely contributions to this issue.

        Software included with the Crypt Newsletter falls under
        the catch-all term dangerous code. In the hands of
        incompetents and experienced PC users alike, many of
        the programs can and will foul the software resources of 
        a computer, most times irretrievably.  Much of the
        code supplied is designed solely for this purpose.

        Why then, the newsletter? There are many reasons, but one
        which sheds a little light on the matter is illustrated
        by this brief bit of e-mail from the FidoNet.


       " ..but, could you provide me with info on how I can get
         copies of existing viruses for research purposes?"

        As a new user you will not know that there is a rule here
        completely forbidding the trade in virus samples. I expect you
        will already have had a hostile message about baseball bats
        from kindly Mr Cleton.
     
        However, I think I am within my rights to explain. There
        is an unwritten convention here that dictates that to become
        an accepted, respectable virus researcher you must first go to
        a Virus Exchange bulletin board or other underground outlet
        and obtain as many live virus samples as you can. Then you
        can say you already have an extensive virus library and folks
        on here will take you seriously and swap viruses with you. No
        one will ever admit this but it was the only way I could
        break into the field....

        --------------------------------------------------------------
        "I see!" said the blind man as he picked up his hammer and saw.
        --------------------------------------------------------------

        To assemble the software included in this issue of the newsletter,
        copy the MS-DOS program DEBUG.EXE to your current directory,
        unzip the newsletter archive into the same directory and
        type MAKE at the DOS prompt.  The included batch file will
        recreate all the software with the exception of the POPOOLAR
        SCIENCE virus. DO NOT EXECUTE -=POPSCI.BAT=- IN THE SAME
        DIRECTORY AS THE REST OF YOUR NEWSLETTER FILES OR THEY STAND
        A GOOD CHANCE OF ALL BEING INSTANTLY RUINED. Move POPSCI.BAT to 
        a separate directory and read the documentation before you
        begin to play with it. The A86 source listings to the
        three viruses are also included for the more experienced
        readers. If that seems like jargon to you, don't lose any 
        sleep over the .A86 files.

        This issue of the newsletter should contain the following
        files:

                CRPTLT.R11 - this document
                PCOMM.BAT - ProComm external protocol batch file for
                Leech-Zmodem
                QMOD.BAT - Qmodem external protocol batch file for
                Leech-Zmodem
                LZMCNF.SCR - Leech-Zmodem CONFIG program scriptfile.
                LZM.SCR - Leech-Zmodem main executable scriptfile.
                LTLMESS.SLC - compiled form of LITTLE MESS virus.
                LTLMESS.SLT - SALT language source of LITTLE MESS virus.
                POPSCI.BAT - POPOOLAR SCIENCE batch file virus launcher.
                POPSCI.A86 - POPOOLAR SCIENCE virus A86 source listing.
                HITLER.A86 - HITLER virus A86 source listing.
                HITLER.SCR - HITLER virus scriptfile.
                NECRO.A86 - NECRO (SKULL) virus A86 source listing.
                NECRO.SCR - NECRO (SKULL) virus scriptfile.
                MAKE.BAT - instant "maker" for this issue's software.
                Ensure that the MS-DOS program DEBUG.EXE is in the 
                machine path or current directory, before 
                typing "MAKE".


    You can pick up the Crypt Newsletter at these fine BBS's, along with
    many other nifty, unique things.


    CRYPT INFOSYSTEMS                    1-215-868-1823  Comment: Crypt Corporate East
    DARK COFFIN                          1-215-966-3576  Comment: Crypt Corporate West
    THE HELL PIT                         1-708-459-7267
    DRAGON'S DEN                         1-215-882-1415
    RIPCO ][                             1-312-528-5020
    AIS                                  1-304-420-6083
    CYBERNETIC VIOLENCE                  1-514-425-4540
    THE VIRUS                            1-804-599-4152
    NUCLEAR WINTER                       1-215-882-9122
    UNPHAMILIAR TERRITORY                1-602-PRI-VATE
    THE OTHER SIDE                       1-512-618-0154
    MICRO INFORMATION SYSTEMS SERVICES   1-805-251-0564
    ADAM'S CONNECT POINT                 1-210-783-6526
    STAIRWAY TO HEAVEN                   1-913-235-8936
    THE BIT BANK                         1-215-966-3812

    The Crypt Newsletter staff welcomes your comments, anecdotes,
    thoughtful articles and hate mail.

    You can contact us at Crypt InfoSystems or
    at CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com

    For those who treasure hardcopy, Crypt Newsletter is available as a 
    FAX subscription: $20 for a ten issue run. It can also be had as one 
    of those corporate-looking papyrus newsletters for the same price. 
    All inquiries should be directed to the Crypt Newsletter e-mail 
    addresses.
